CERT-RMM Overview
What is CERT®-RMM?

The CERT® Resilience Management Model is a maturity model for managing and improving operational resilience.

"...an extensive superset of the things an organization could do to be more resilient."

- CERT-RMM adopter

• Process improvement for operational resilience

• Converges key operational risk management activities: security, BC/DR, and IT operations

• Defines maturity through capability levels (like CMMI)

• Improves confidence in how an organization responds in times of operational stress and disruption
CERT-RMM: 26 Process Areas in 4 Categories

Engineering
  ADM   Asset Definition and Management
  CTRL  Controls Management
  RRD   Resilience Requirements Development
  RRM   Resilience Requirements Management
  RTSE  Resilient Technical Solution Engineering
  SC    Service Continuity

Operations Management
  AM    Access Management
  EC    Environmental Control
  EXD   External Dependencies
  ID    Identity Management
  IMC   Incident Management & Control
  KIM   Knowledge & Information Management
  PM    People Management
  TM    Technology Management
  VAR   Vulnerability Analysis & Resolution

Enterprise Management
  COMM  Communications
  COMP  Compliance
  EF    Enterprise Focus
  FRM   Financial Resource Management
  HRM   Human Resource Management
  OTA   Organizational Training & Awareness
  RISK  Risk Management

Process Management
  MA    Measurement and Analysis
  MON   Monitoring
  OPD   Organizational Process Definition
  OPF   Organizational Process Focus

Full text of each process area is available for download at www.cert.org/resilience
(Figure: layered diagram of Organization, Mission, Organizational Context and Service, with an annotation marking the layer where CERT-RMM focuses.)
For Comparison: CERT-RMM & CMMI

(Figure: side-by-side comparison of the two models, labeled DEVELOPMENT and OPERATION.)
What Is the Question?
What Should I Measure?
How Resilient Am I? - 1

When asked:

• How resilient am I?

• Am I resilient enough?

• How resilient do I need to be?

What does this mean?
How Resilient Am I? - 2

• Do I need to worry about operational resilience?

• If services are disrupted, will it make the news? Will I end up in court? In jail? Will I be able to stay in business?

• Do I meet compliance requirements?

• How resilient am I compared to my competition?

• Do I need to spend more $$ on resilience? If so, on what?

• What am I getting for the $$ I've already spent?
How Resilient Am I? - 3

• What should I be measuring to determine if I am meeting my performance objectives for resilience?

• What is the business value of being more resilient?
So What? Why Should I Care? (*)

• What decisions would this measure inform?

• What actions would I take based on it?

• What behaviors would it affect?

• What would improvement look like?

• What would its value be in comparison to other measures?

(*) informed by Douglas Hubbard, How to Measure Anything, John Wiley & Sons, 2010
What Should I Measure?

• Determine business objectives and key questions

• Define the information that is needed to answer the question

• Qualify and quantify the information in the form of measures

• Analyze the measures and report out

• Quantify the value of each measure (cost/benefit)

• Refine and retire measures as you go
Who, What, Where, When, Why, How

Who is the measure for? Who are the stakeholders? Who collects the measurement data?

What is being measured? As part of what process?

Where is the data/information stored?

When/how frequently are the measures collected?

Why is the measure important (vs. others)? The most meaningful information is conveyed by reporting trends over time vs. point-in-time measures.

How is the data collected? How is the measure presented? How is the measure used?
Measurement
Measurement Types

Implementation

• Is this process/activity/practice being performed?

Effectiveness

• How good is the work product or outcome of the process/activity/practice? Does it achieve the intended result?

Process performance

• Is the process performing as expected? Is it efficient? Can it be planned? Is it predictive? Is it in control?
Measurement Template

• Measure Name/ID

• Goal

• Question(s)

• Related Processes/Procedures

• Visual Display

• Data Reporting (By whom, To whom, When, How often)

• Data Storage (Where, How, Access control)

• Stakeholders (Information owner(s), collector(s), customer(s))

• Data Input(s) (Data elements, Data type)

• Data Collection (How, When, How often, By whom)

• Algorithm or Formula

• Interpretation or Expected Value(s)
A Few Strategic Measures
Given Organizational Objectives . . .

Measure 1

Percentage of resilience "activities"(*) that do not directly (or indirectly) support one or more organizational objectives

Measure 2

For each resilience "activity," number of organizational objectives that require it to be satisfied (goal is = or > 1)

(*) "Activity" can be a project, task, performance objective, investment, etc. It represents some meaningful decomposition of the resilience program.
Given High-Value Services and Assets . . .

Measure 3

Percentage of high-value services that do not satisfy their allocated resilience requirements(*)

Measure 4

Percentage of high-value assets(+) that do not satisfy their allocated resilience requirements(*)

(*) confidentiality, availability, integrity; (+) technology, information, facilities, people
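Measures 1 through 4 are all ratios over an inventory, and the part that is easy to get wrong is the "(or indirectly)" clause in Measure 1: an activity that supports no objective by itself may still be required by one through another activity it enables. The following Python is an added worked example (not CERT/SEI code) that computes the four measures over a constructed inventory. The objective names, the activity, service and asset records, the `enables` relation used to model indirect support, and the rounding to one decimal are all assumptions made for the illustration; the requirement keys follow the slide's footnotes (confidentiality, integrity, availability; technology, information, facilities, people).

```python
"""Strategic measures 1-4 over a constructed inventory.

Added example, not CERT/SEI code. OBJECTIVES, the sample records and the
`enables` relation (which models "indirect" support) are assumptions.
"""
from dataclasses import dataclass

# Assumed organizational objectives (constructed for the example).
OBJECTIVES = frozenset({"serve-customers-24x7", "protect-customer-data",
                        "meet-regulatory-deadlines"})


@dataclass(frozen=True)
class Activity:
    """A resilience 'activity': project, task, investment, etc."""
    name: str
    supports: frozenset   # objectives supported directly
    enables: frozenset    # other activities this one makes possible (indirect support)


@dataclass(frozen=True)
class Service:
    name: str
    high_value: bool
    requirements: dict    # allocated requirement -> currently satisfied?


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str             # technology | information | facilities | people
    high_value: bool
    requirements: dict


def pct(numerator, denominator):
    """Percentage rounded to one decimal; None when nothing is in scope (avoid a silent 0%)."""
    if denominator == 0:
        return None
    return round(100.0 * numerator / denominator, 1)


def objectives_served(name, activities):
    """Objectives an activity supports directly or through the activities it enables."""
    by_name = {a.name: a for a in activities}
    seen, stack, served = set(), [name], set()
    while stack:                      # depth-first walk over the enables graph
        current = stack.pop()
        if current in seen or current not in by_name:
            continue
        seen.add(current)
        served |= by_name[current].supports & OBJECTIVES
        stack.extend(by_name[current].enables)
    return served


def measure_1(activities):
    """Measure 1: % of activities supporting no objective, directly or indirectly."""
    orphans = sum(1 for a in activities if not objectives_served(a.name, activities))
    return pct(orphans, len(activities))


def measure_2(activities):
    """Measure 2: per activity, number of objectives that require it (goal >= 1)."""
    return {a.name: len(objectives_served(a.name, activities)) for a in activities}


def _unsatisfied(items):
    """Share of high-value items with at least one unmet requirement, plus their names."""
    scoped = [i for i in items if i.high_value]
    failing = [i for i in scoped if not all(i.requirements.values())]
    return pct(len(failing), len(scoped)), [i.name for i in failing]


def measure_3(services):
    """Measure 3: % of high-value services not meeting all allocated requirements."""
    return _unsatisfied(services)[0]


def measure_4(assets):
    """Measure 4: % of high-value assets not meeting all allocated requirements."""
    return _unsatisfied(assets)[0]


# Constructed sample inventory (assumed data, not from any real organization).
ACTIVITIES = [
    Activity("offsite-backups", frozenset({"serve-customers-24x7"}), frozenset()),
    Activity("dr-exercise", frozenset({"serve-customers-24x7", "meet-regulatory-deadlines"}), frozenset()),
    Activity("restore-runbook-review", frozenset(), frozenset({"dr-exercise"})),  # indirect only
    Activity("pii-encryption-at-rest", frozenset({"protect-customer-data"}), frozenset()),
    Activity("legacy-fax-archive-scanning", frozenset(), frozenset()),             # supports nothing
]
SERVICES = [
    Service("order-entry", True, {"confidentiality": True, "integrity": True, "availability": True}),
    Service("customer-portal", True, {"confidentiality": True, "availability": False}),
    Service("internal-wiki", False, {"availability": False}),   # not high value: out of scope
]
ASSETS = [
    Asset("orders-db", "technology", True, {"confidentiality": True, "integrity": True, "availability": True}),
    Asset("customer-pii", "information", True, {"confidentiality": False}),
    Asset("hq-datacenter", "facilities", True, {"availability": True}),
    Asset("helpdesk-staff", "people", False, {"availability": True}),
]


def report():
    """All four measures plus the names behind the percentages, for the report-out step."""
    return {
        "measure_1_pct_orphan_activities": measure_1(ACTIVITIES),
        "measure_2_objectives_per_activity": measure_2(ACTIVITIES),
        "measure_3_pct_services_unsatisfied": measure_3(SERVICES),
        "measure_4_pct_assets_unsatisfied": measure_4(ASSETS),
        "failing_services": _unsatisfied(SERVICES)[1],
        "failing_assets": _unsatisfied(ASSETS)[1],
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Two design points carry over to a real measurement program: the report returns the names behind each percentage, because a bare "50%" informs no decision, and `pct` returns `None` rather than `0.0` when no high-value item is in scope, so an empty inventory is reported as "nothing measured" instead of "nothing failing."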
Given Controls . . .

Measure 5

Percentage of high-value services with controls that are ineffective or inadequate

Measure 6

Percentage of high-value assets with controls that are ineffective or inadequate
Given Risks . . .

Measure 7

Confidence factor that risks(*) from all sources that need to be identified have been identified

Measure 8

Percentage of risks with impact above threshold

(*) to high-value assets that could adversely affect the operation and delivery of high-value services
Given a Disruptive Event (*)

Measure 9

Probability of delivered service through a disruptive event

Measure 10

For disrupted, high-value services with a service continuity plan, percentage of services that did not deliver service as intended throughout the disruptive event

(*) An incident, a break in service continuity, a man-made or natural disaster or crisis
Top Ten Strategic Measures

1. Percentage of resilience "activities" that do not directly (or indirectly) support one or more organizational objectives

2. For each resilience "activity," number of organizational objectives that require it to be satisfied (goal is = or > 1)

3. Percentage of high-value services that do not satisfy their allocated resilience requirements

4. Percentage of high-value assets that do not satisfy their allocated resilience requirements

5. Percentage of high-value services with controls that are ineffective or inadequate

6. Percentage of high-value assets with controls that are ineffective or inadequate

7. Confidence factor that risks from all sources that need to be identified have been identified

8. Percentage of risks with impact above threshold

9. Probability of delivered service through a disruptive event

10. For disrupted, high-value services with a service continuity plan, percentage of services that did not deliver service as intended throughout the disruptive event
If These Don't Work For You . . .

• Identify the high-level objectives for your resilience program

• Define measures that demonstrate the extent to which objectives are (or are not) being met

• Make sure the measures you are currently reporting support one or more objectives

• Measurement is expensive; collect and report measures that inform decisions and affect behavior
Getting Started
To Get Started

• Identify sponsors and key stakeholders

• Define resilience objectives and key questions

• Determine information and processes that inform these

• Define and vet a small number of key measures

• Collect, analyze, report, refine

• Put a measurement process in place (start small)